Abstract

We introduce a computational problem of distinguishing between two specific quantum states as a new cryptographic problem to design a quantum cryptographic scheme that is "secure" against any polynomial-time quantum adversary. Our problem $\mathrm{QSCD}_\mathrm{ff}$ is to distinguish between two types of random coset states with a hidden permutation over the symmetric group of finite degree. This naturally generalizes the commonly-used distinction problem between two probability distributions in computational cryptography. As our major contribution, we show three cryptographic properties: (i) $\mathrm{QSCD}_\mathrm{ff}$ has the trapdoor property; (ii) the average-case hardness of $\mathrm{QSCD}_\mathrm{ff}$ coincides with its worst-case hardness; and (iii) $\mathrm{QSCD}_\mathrm{ff}$ is computationally at least as hard in the worst case as the graph automorphism problem. These cryptographic properties enable us to construct a quantum public-key cryptosystem, which is likely to withstand any chosen plaintext attack of a polynomial-time quantum adversary. We further discuss a generalization of $\mathrm{QSCD}_\mathrm{ff}$, called $\mathrm{QSCD}_\mathrm{cyc}$, and introduce a multi-bit encryption scheme relying on the cryptographic properties of $\mathrm{QSCD}_\mathrm{cyc}$.
1 Introduction



Since Diffie and Hellman [16] first used a computationally intractable problem to design a key exchange protocol, computational cryptography has been extensively studied; in particular, a number of practical cryptographic systems (e.g., public-key cryptosystems (PKCs), bit commitment schemes (BCSs), pseudorandom generators, and digital signature schemes) have been proposed under popular intractability assumptions, such as the hardness of the integer factorization problem (IFP) and the discrete logarithm problem (DLP), for which no efficient classical (i.e., deterministic or probabilistic) algorithm has been found. Using the power of quantum computation, however, we can efficiently solve various number-theoretic problems, including IFP (and the quadratic residuosity problem), DLP (and the Diffie-Hellman problem) [11, 28], and the principal ideal problem [23]. Therefore, a quantum adversary (i.e., an adversary who runs a quantum computer) can easily break the cryptosystems whose security proofs heavily rely on the computational hardness of these problems.

Fighting against such a powerful quantum adversary, a new area of cryptography, so-called quantum cryptography, has emerged in the past two decades. In 1984, Bennett and Brassard [?] proposed a quantum key distribution scheme via a quantum communication channel. Its unconditional security was later proven by Mayers [?]. Nonetheless, as Mayers [?] and Lo and Chau [22] independently demonstrated, quantum mechanics cannot make all cryptographic schemes information-theoretically secure as we had hoped; in particular, they proved that no quantum BCS can be both concealing and binding unconditionally. Therefore, "computational" approaches are still important in quantum cryptography. Along this line, a number of quantum cryptographic properties have been discussed from the complexity-theoretic point of view [?].

A quantum computer is known to be capable of breaking the RSA cryptosystem and other well-known classical cryptosystems. It is therefore imperative to discover computationally-hard problems from which a secure quantum cryptosystem can be constructed against any polynomial-time quantum adversary. For instance, the subset sum (knapsack) problem and the shortest vector problem are a basis for knapsack-based cryptosystems [?] as well as lattice-based cryptosystems [12]. Since it is currently unknown whether these problems withstand any attack of quantum adversaries, we need to continue searching for better intractable problems that can guard their associated quantum cryptosystems against any powerful quantum adversary.

This paper introduces the new notion of computational indistinguishability between quantum states, which generalizes the classical indistinguishability notion between two probability distributions [?, 19]. In particular, we present a distinction problem, called $\mathrm{QSCD}_\mathrm{ff}$ (quantum state computational distinction with fully flipped permutations), between specific ensembles of quantum states. $\mathrm{QSCD}_\mathrm{ff}$ enjoys remarkable cryptographic properties as a building block of a secure quantum cryptosystem.

Definition 1.1 The advantage of a polynomial-time quantum algorithm $A$ that distinguishes between two ensembles $\{\rho_0(l)\}_{l\in\mathbb{N}}$ and $\{\rho_1(l)\}_{l\in\mathbb{N}}$ of quantum states is the function $\delta_A(l)$ defined as:

$$\delta_A(l) = \left|\Pr_A[A(\rho_0(l)) = 1] - \Pr_A[A(\rho_1(l)) = 1]\right|$$

for two $l$-qubit quantum states $\rho_0(l)$ and $\rho_1(l)$, where the subscript $A$ means that any output of $A$ is determined by measuring the final state of $A$ in the standard computational basis. We say that two ensembles $\{\rho_0(l)\}_{l\in\mathbb{N}}$ and $\{\rho_1(l)\}_{l\in\mathbb{N}}$ are computationally indistinguishable if the advantage $\delta_A(l)$ is negligible for any polynomial-time quantum algorithm $A$; namely, for any polynomial $p$, any polynomial-time quantum algorithm $A$, and any sufficiently large number $l$, it holds that $\delta_A(l) < 1/p(l)$. The distinction problem between $\{\rho_0(l)\}_{l\in\mathbb{N}}$ and $\{\rho_1(l)\}_{l\in\mathbb{N}}$ is said to be solvable with non-negligible advantage if these ensembles are not computationally indistinguishable; that is, there exist a polynomial-time quantum algorithm $A$ and a polynomial $p$ such that

$$\left|\Pr_A[A(\rho_0(l)) = 1] - \Pr_A[A(\rho_1(l)) = 1]\right| \ge \frac{1}{p(l)}$$

for infinitely many numbers $l$.

The problem $\mathrm{QSCD}_\mathrm{ff}$ asks whether we can distinguish between two sequences of identical samples of $\rho_\pi^+(n)$ and of $\rho_\pi^-(n)$ for each fixed hidden permutation $\pi$ and each length parameter $n$ of a certain form. Let $S_n$ be the symmetric group of degree $n$ and let $\mathcal{K}_n = \{\pi \in S_n : \pi^2 = \mathrm{id} \text{ and } \forall i \in \{1,\dots,n\}\,[\pi(i) \neq i]\}$ for $n \in \mathbb{N}$, where $\mathrm{id}$ stands for the identity permutation.

Definition 1.2 Let $N = \{2(2n'+1) : n' \in \mathbb{N}\}$. For each $\pi \in \mathcal{K}_n$, let $\rho_\pi^+(n)$ and $\rho_\pi^-(n)$ be two quantum states defined by

$$\rho_\pi^+(n) = \frac{1}{2n!}\sum_{\sigma\in S_n}(|\sigma\rangle + |\sigma\pi\rangle)(\langle\sigma| + \langle\sigma\pi|) \quad\text{and}\quad \rho_\pi^-(n) = \frac{1}{2n!}\sum_{\sigma\in S_n}(|\sigma\rangle - |\sigma\pi\rangle)(\langle\sigma| - \langle\sigma\pi|).$$

The problem $\mathrm{QSCD}_\mathrm{ff}$ is the distinction problem between the two quantum states $\rho_\pi^+(n)^{\otimes k(n)}$ and $\rho_\pi^-(n)^{\otimes k(n)}$ for each parameter $n$ in $N$, where $k$ is a polynomial. For each fixed polynomial $k$, we use the succinct notation $k$-$\mathrm{QSCD}_\mathrm{ff}$ instead.

To simplify our notation, we often drop the parameter $n$ whenever $n$ is clear from the context. For instance, we write $\rho_\pi^{+\otimes k(n)}$ for $\rho_\pi^+(n)^{\otimes k(n)}$. More generally, $k$-$\mathrm{QSCD}_\mathrm{ff}$ can be defined for any integer-valued function $k$. Note that Definition 1.2 uses the parameter $n$ to express the "length" of the quantum states instead of the parameter $l$ of Definition 1.1. There is, however, essentially no difference for polynomial-time indistinguishability since $\rho_\pi^+$ and $\rho_\pi^-$ can be expressed with $O(n\log n)$ qubits and $k(n)$ is a polynomial in $n$. This parameter $n$ is used to measure the computational complexity of our problem and is often referred to as the security parameter in the cryptographic context.

1.1 Our Contributions 

This paper shows three cryptographic properties of $\mathrm{QSCD}_\mathrm{ff}$ and its application to quantum cryptography. These properties are summarized as follows. (i) $\mathrm{QSCD}_\mathrm{ff}$ has the trapdoor property; namely, for any given hidden permutation $\pi \in \mathcal{K}_n$, we can efficiently distinguish between $\rho_\pi^+$ and $\rho_\pi^-$. (ii) The average-case hardness of $\mathrm{QSCD}_\mathrm{ff}$ over a randomly chosen permutation $\pi \in \mathcal{K}_n$ coincides with its worst-case hardness. (iii) $\mathrm{QSCD}_\mathrm{ff}$ is computationally at least as hard in the worst case as the graph automorphism problem (GA), where GA is the graph-theoretical problem defined as:

Graph Automorphism Problem (GA):
input: an undirected graph $G = (V, E)$;

output: YES if $G$ has a non-trivial automorphism, and NO otherwise.

Since there is no known efficient algorithmic solution for GA, the third property suggests that $\mathrm{QSCD}_\mathrm{ff}$ should be hard to solve. In a certain restricted case, we can actually show without any assumption that no time-unbounded quantum algorithm can solve $o(n\log n)$-$\mathrm{QSCD}_\mathrm{ff}$. Making use of the aforementioned three cryptographic properties, we can design a computationally-secure quantum PKC whose security relies on the worst-case hardness of GA. The following subsection discusses in depth numerous advantages of using $\mathrm{QSCD}_\mathrm{ff}$ as a basis of secure quantum cryptosystems.

Furthermore, we give a generalization of $\mathrm{QSCD}_\mathrm{ff}$, called $\mathrm{QSCD}_\mathrm{cyc}$, and show its cryptographic properties: (i) the trapdoor property and (ii) the equivalence between its average-case and worst-case hardness. This new problem becomes a basis for another public-key cryptosystem that can encrypt messages longer than those in $\mathrm{QSCD}_\mathrm{ff}$.

1.2 Comparison between Our Work and Previous Work 

In recent literature, computational-complexity aspects of quantum states have been spotlighted in connection to quantum cryptography. For instance, the notion of statistical distinguishability between two quantum states was investigated by Watrous [17] and also Kobayashi [29] in the context of quantum zero-knowledge proofs. They proved that certain problems of statistically distinguishing between two quantum states are promise-complete for quantum zero-knowledge proof systems. Aharonov and Ta-Shma [2] also studied the computational complexity of quantum-state generation and showed its connection to quantum adiabatic computing as well as statistical zero-knowledge proofs. Note that our distinction problem $\mathrm{QSCD}_\mathrm{ff}$ is also rooted in computational complexity theory.

In what follows, we briefly discuss various advantages of using $\mathrm{QSCD}_\mathrm{ff}$ as a basis of quantum cryptosystems in comparison with existing cryptosystems and their underlying problems.

Average-Case Hardness versus Worst-Case Hardness. The efficient solvability of any given problem on average, in general, does not guarantee that the problem can be solved efficiently in the worst case. This makes it desirable to satisfy the following property: the average-case hardness of the problem is "equivalent" to its worst-case hardness under a certain type of polynomial-time reduction. Unfortunately, few cryptographic problems are known to enjoy this property.

Roughly, there are two categories of worst-case/average-case reductions discussed in the past literature. The first category is a strong reduction, which transforms an arbitrary instance of length $n$ to a random instance of the same length or of length polynomial in $n$. In this strong sense, Ajtai [2] found a remarkable connection between average-case hardness and worst-case hardness of certain variants of the shortest vector problem (SVP). He gave an efficient reduction from the problem of approximating the shortest vector in a given $n$-dimensional lattice in the worst case to the approximation problem of the shortest vector in a random lattice over a certain class of lattices with a large polynomial approximation factor. Later, Micciancio and Regev [?] gave the average-case/worst-case connection factor of approximately $n$ for approximating SVP (see [?] and references therein for general worst-case/average-case reductions).

The second category is a weak reduction of Tompa and Woll [?], where the reduction is randomized only over a part of its instances. A typical example is DLP, which can be randomly reduced to itself by a reduction that maps instances not to all instances of the same length but rather to all instances of the same underlying group. Nonetheless, an efficient reduction from DLP with the worst-case prime to DLP with a random prime is unknown. Note that Shor's algorithm [?] efficiently solves DLP and the inverting problem of the RSA function with worst-case/average-case reductions of the second category. The graph isomorphism problem (GI) and GA — well-known graph-theoretical problems — also enjoy such reductions of the second category although there is no known cryptosystem whose security relies on their hardness.

This paper, to the contrary, shows that $\mathrm{QSCD}_\mathrm{ff}$ has a worst-case/average-case reduction of the first category. Our reduction depends only on the size of the instance, unlike the reduction of DLP. In fact, our distinction problem $\mathrm{QSCD}_\mathrm{ff}$ is the first cryptographic problem with a worst-case/average-case reduction of the first category. Moreover, there is no known efficient solution to $\mathrm{QSCD}_\mathrm{ff}$ on a quantum computer. Our reduction is similar in flavor to the reductions of the aforementioned lattice problems.

Computational Hardness of Underlying Computational Problems. The hidden subgroup problem (HSP) has played a central role in recent discussions on the strength and limitation of quantum computation. The aforementioned IFP and DLP can be viewed as special cases of HSP on Abelian groups (AHSP). Kitaev [?] showed how to solve AHSP efficiently; in particular, he gave a polynomial-time algorithm for the quantum Fourier transformation over Abelian groups, which is a generalization of the quantum Fourier transformation used in Shor's algorithm [33]. Although an efficient quantum algorithm exists for AHSP, a simple application of currently known techniques may not be sufficient to solve HSP on non-Abelian groups. (Note that HSP on certain specific non-Abelian groups was already solved in [?].) Another important variant is the HSP on the dihedral groups (DHSP). Recently, Regev [?] demonstrated a quantum reduction from the unique shortest vector problem (uSVP) to a slightly different variant of DHSP. Note that uSVP is a basis of the lattice-based PKCs given in [?]. For DHSP, Kuperberg [35] found a subexponential-time quantum algorithm. Although these results do not directly imply a subexponential-time quantum algorithm for uSVP, they may be a clue to finding the desired algorithm in the end.

Our problem $\mathrm{QSCD}_\mathrm{ff}$ is closely related to a much harder problem: HSP on the symmetric groups (SHSP). Note that no known subexponential-time quantum algorithm exists for SHSP. Hallgren et al. [?] introduced a distinction problem between certain two quantum states, similar to $\mathrm{QSCD}_\mathrm{ff}$, to discuss the computational intractability of SHSP by a "natural" extension of Shor's algorithm with the quantum Fourier transformation. An efficient solution to this distinction problem gives an answer to a pending question on a certain special case of SHSP. To solve this distinction problem, as they showed, the so-called weak Fourier sampling on a single sample should require an exponential number of samples. This result was improved by Grigni et al. [?], who proved that we need exponentially many samples even by a stronger method called the strong Fourier sampling on a single sample along with a random choice of the bases of the representations of $S_n$. Kempe and Shalev [?] further expanded [21, 25] for the computational hardness of SHSP using these quantum Fourier sampling methods. Moore et al. [?], on the contrary, demonstrated that, regardless of methods (like the above quantum Fourier sampling methods), any time-unbounded quantum algorithm on a single sample needs $\exp(\Omega(n))$ samples to solve the distinction problem. Even for the two-sample case, Moore and Russell [37] argued that any time-unbounded quantum algorithm that simultaneously works over two samples should use $\exp(\Omega(\sqrt{n}/\log n))$ samples at best. More recently, Hallgren et al. [?] proved that no time-unbounded quantum algorithm solves the distinction problem even from $o(n\log n)$ samples. In this paper, we further show that the distinction problem is polynomial-time reducible to $\mathrm{QSCD}_\mathrm{ff}$. This immediately implies that we have no time-unbounded quantum algorithm for $\mathrm{QSCD}_\mathrm{ff}$ from $o(n\log n)$ samples. Even with sufficiently many samples for $\mathrm{QSCD}_\mathrm{ff}$, there is no known subexponential-time quantum algorithm for $\mathrm{QSCD}_\mathrm{ff}$, and thus finding such an algorithm seems a daunting task. This situation, on the contrary, indicates that our problem $\mathrm{QSCD}_\mathrm{ff}$ should be more suitable than, e.g., uSVP as an underlying intractable problem founding a secure cryptosystem, similarly to the classical case of DLP over different groups; namely, DLP over $\mathbb{Z}_p^*$ (where $p$ is a prime) is classically solvable in subexponential time whereas no known classical subexponential-time algorithm exists for DLP over certain groups in elliptic curve cryptography. It is generally believed that DLP over such groups is more reliable than DLP over $\mathbb{Z}_p^*$.

We prove that the computational complexity of $\mathrm{QSCD}_\mathrm{ff}$ is lower-bounded by that of GA. Note that well-known upper bounds of GA are $\mathrm{NP}\cap\mathrm{co}\text{-}\mathrm{AM}$ [?], SPP [?], and UAP [?], but GA is not yet known to be in $\mathrm{NP}\cap\mathrm{co}\text{-}\mathrm{NP}$. Since most cryptographic problems fall in $\mathrm{NP}\cap\mathrm{co}\text{-}\mathrm{NP}$, few cryptographic systems are lower-bounded by the worst-case hardness of problems outside of $\mathrm{NP}\cap\mathrm{co}\text{-}\mathrm{NP}$.

Quantum Computational Cryptography. Apart from PKCs, quantum key distribution gives a foundation to symmetric-key cryptology; for instance, the quantum key distribution scheme in [?] achieves unconditionally secure sharing of secret keys in symmetric-key cryptosystems (SKCs) through an authenticated classical communication channel. Undoubtedly, both SKCs and PKCs have their own advantages and disadvantages. Compared with SKCs, PKCs require fewer secret keys in a large-scale network; however, they often need certain intractability assumptions for their security proofs and are typically vulnerable to, e.g., the man-in-the-middle attack. As an immediate application of $\mathrm{QSCD}_\mathrm{ff}$, we propose a new computational quantum PKC whose security relies on the computational hardness of $\mathrm{QSCD}_\mathrm{ff}$.

Of many existing PKCs, few make their security proofs rely solely on the worst-case hardness of their underlying problems. Quantum adversaries can break many PKCs whose underlying problems are number-theoretic because fast quantum algorithms can solve these problems. Based on a certain subset of the knapsack problem, Okamoto et al. [?] proposed a quantum PKC, which withstands certain well-known quantum attacks. Our proposed quantum PKC also seems to fend off a polynomial-time quantum adversary since we can reduce the problem GA to $\mathrm{QSCD}_\mathrm{ff}$, where GA is not known to be solved efficiently on a quantum computer.
2 Cryptographic Properties of $\mathrm{QSCD}_\mathrm{ff}$



Throughout this section, we want to show three cryptographic properties of $\mathrm{QSCD}_\mathrm{ff}$: (i) the trapdoor property, (ii) the equivalence between average-case hardness and worst-case hardness, and (iii) a reduction from $\mathrm{QSCD}_\mathrm{ff}$ to other computationally-hard problems. These properties help us construct a quantum PKC in Section 3.

All the cryptographic properties of $\mathrm{QSCD}_\mathrm{ff}$ are consequences of the following remarkable characteristics of the set $\mathcal{K}_n$ of the hidden permutations (although the definition of $\mathcal{K}_n$ seems somewhat artificial). (i) Each permutation $\pi \in \mathcal{K}_n$ is of order 2. This directly provides the trapdoor property of $\mathrm{QSCD}_\mathrm{ff}$. (ii) For any $\pi \in \mathcal{K}_n$, the conjugacy class of $\pi$ is equal to $\mathcal{K}_n$. This property enables us to prove the equivalence between the worst-case hardness and average-case hardness of $\mathrm{QSCD}_\mathrm{ff}$. (iii) The problem GA is (polynomial-time Turing) equivalent to its subproblem with the promise that any given graph has a unique non-trivial automorphism in $\mathcal{K}_n$ or none at all. This equivalence is used to give a complexity-theoretic lower bound of $\mathrm{QSCD}_\mathrm{ff}$; that is, the average-case hardness of $\mathrm{QSCD}_\mathrm{ff}$ is lower-bounded by the worst-case hardness of GA. For these proofs, we introduce two new techniques: (i) a variant of the so-called coset sampling method, which is broadly used in extensions of Shor's algorithm (see, e.g., [43]), and (ii) a quantum version of the hybrid argument, which is a strong tool for many security reductions used in computational cryptography.

Now, let us assume the reader's familiarity with the basics of quantum computation [30] and recall the two quantum states

$$\rho_\pi^+ = \frac{1}{2n!}\sum_{\sigma\in S_n}(|\sigma\rangle + |\sigma\pi\rangle)(\langle\sigma| + \langle\sigma\pi|) \quad\text{and}\quad \rho_\pi^- = \frac{1}{2n!}\sum_{\sigma\in S_n}(|\sigma\rangle - |\sigma\pi\rangle)(\langle\sigma| - \langle\sigma\pi|)$$

given for a permutation $\pi \in \mathcal{K}_n$. For convenience, let $\iota(n)$ (or simply $\iota$) denote the maximally mixed state $\frac{1}{n!}\sum_{\sigma\in S_n}|\sigma\rangle\langle\sigma|$ over $S_n$, which will appear later as a technical tool.

2.1 Trapdoor Property 

The first property to prove is that $\mathrm{QSCD}_\mathrm{ff}$ enjoys the trapdoor property, which has played a key role in various cryptosystems in use. To prove this property, it suffices to present an efficient algorithm distinguishing between $\rho_\pi^+$ and $\rho_\pi^-$ when the hidden permutation $\pi \in \mathcal{K}_n$ is known.

Theorem 2.1 (Distinguishing Algorithm) There exists a polynomial-time quantum algorithm that, for a given hidden permutation $\pi \in \mathcal{K}_n$, distinguishes between $\rho_\pi^+(n)$ and $\rho_\pi^-(n)$ for any $n \in N$ with probability 1.

Proof. Fix $n$ arbitrarily. Let $\chi$ be any given unknown state, which is either $\rho_\pi^+$ or $\rho_\pi^-$. The desired distinguishing algorithm for $\chi$ works as follows.

(D1) Prepare two quantum registers. The first register holds a control bit and the second register holds $\chi$. Apply the Hadamard transformation $H$ to the first register. The state of the system now becomes

$$H|0\rangle\langle 0|H \otimes \chi.$$

(D2) Apply the Controlled-$\pi$ operator $C_\pi$ to the two registers, where the operator $C_\pi$ satisfies $C_\pi|0\rangle|\sigma\rangle = |0\rangle|\sigma\rangle$ and $C_\pi|1\rangle|\sigma\rangle = |1\rangle|\sigma\pi\rangle$ for any given $\sigma \in S_n$. Since $\pi^2 = \mathrm{id}$ for every $\pi \in \mathcal{K}_n$, the state of the entire system can be expressed as

where $|\psi^+_{\pi,\sigma}\rangle$ and $|\psi^-_{\pi,\sigma}\rangle$ are defined by

$$|\psi^\pm_{\pi,\sigma}\rangle = C_\pi\left(\tfrac{1}{2}|0\rangle(|\sigma\rangle \pm |\sigma\pi\rangle) + \tfrac{1}{2}|1\rangle(|\sigma\rangle \pm |\sigma\pi\rangle)\right) = \tfrac{1}{2}|0\rangle(|\sigma\rangle \pm |\sigma\pi\rangle) + \tfrac{1}{2}|1\rangle(|\sigma\pi\rangle \pm |\sigma\rangle).$$

(D3) Apply the Hadamard transformation to the first register. If $\chi$ is either $\rho_\pi^+$ or $\rho_\pi^-$, then the state of the system becomes either

$$(H \otimes I)|\psi^+_{\pi,\sigma}\rangle = \tfrac{1}{\sqrt{2}}|0\rangle(|\sigma\rangle + |\sigma\pi\rangle) \quad\text{or}\quad (H \otimes I)|\psi^-_{\pi,\sigma}\rangle = \tfrac{1}{\sqrt{2}}|1\rangle(|\sigma\rangle - |\sigma\pi\rangle).$$

Measure the first register in the computational basis. If the result is 0, then output YES; otherwise, output NO.

Clearly, the above procedure gives the correct answer with probability 1. □
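The following is an added simulation of steps (D1) to (D3), not code from the paper. It runs the circuit on the pure components $|\sigma\rangle \pm |\sigma\pi\rangle$ of which $\rho_\pi^\pm$ is a mixture, for a constructed $\pi \in \mathcal{K}_6$, and also shows what happens when the hidden permutation is not an involution, which is why the order-2 property of $\mathcal{K}_n$ matters; the permutation encoding and composition convention are the example's own.

```python
"""Added simulation of the distinguishing algorithm (D1)-(D3) of Theorem 2.1.

rho_pi^+ and rho_pi^- are mixtures over sigma in S_n of the pure states
(|sigma> + |sigma pi>)/sqrt(2) and (|sigma> - |sigma pi>)/sqrt(2), so running
the circuit on each pure component suffices.  Amplitudes are kept as
unnormalised integers: the 1/sqrt(2) of each Hadamard is a global factor that
does not change the measurement statistics, which are normalised at the end.
Permutations are 0-indexed tuples of images; this convention is the example's own.
"""
from collections import Counter
from itertools import permutations


def compose(a, b):
    """Product a*b read as (a*b)(i) = a(b(i)); for pi^2 = id the order is immaterial."""
    return tuple(a[b[i]] for i in range(len(a)))


def component(sigma, pi, sign):
    """The pure component |sigma> + sign*|sigma pi> (sign = +1 for rho^+, -1 for rho^-)."""
    return {sigma: 1, compose(sigma, pi): sign}


def hadamard_on_control(state):
    """H on the control qubit without its 1/sqrt(2): |0> -> |0>+|1>, |1> -> |0>-|1>."""
    out = Counter()
    for (c, perm), amp in state.items():
        out[(0, perm)] += amp
        out[(1, perm)] += amp if c == 0 else -amp
    return {key: amp for key, amp in out.items() if amp != 0}


def controlled_pi(state, pi):
    """(D2): C_pi|0>|sigma> = |0>|sigma> and C_pi|1>|sigma> = |1>|sigma pi>."""
    out = Counter()
    for (c, perm), amp in state.items():
        out[(c, perm if c == 0 else compose(perm, pi))] += amp
    return dict(out)


def measure_control(state):
    """Outcome distribution of the control qubit in the computational basis."""
    weights = Counter()
    for (c, _), amp in state.items():
        weights[c] += amp * amp
    total = sum(weights.values())
    return {c: w / total for c, w in weights.items()}


def distinguish(sigma, pi, sign):
    """Run (D1)-(D3) on |sigma> + sign|sigma pi>; returns {0: p0, 1: p1}.

    Outcome 0 is the algorithm's YES (rho^+), outcome 1 its NO (rho^-)."""
    state = {(0, perm): amp for perm, amp in component(sigma, pi, sign).items()}  # control |0>
    state = hadamard_on_control(state)  # (D1)
    state = controlled_pi(state, pi)    # (D2)
    state = hadamard_on_control(state)  # (D3)
    return measure_control(state)


def always_correct(pi):
    """True iff for every sigma in S_n the circuit outputs 0 on rho^+ and 1 on rho^-."""
    return all(
        distinguish(s, pi, +1) == {0: 1.0} and distinguish(s, pi, -1) == {1: 1.0}
        for s in permutations(range(len(pi)))
    )


# Constructed hidden permutation: n = 6 lies in N = {2(2n'+1)}, and
# PI6 = (0 1)(2 3)(4 5) is an involution without fixed points, i.e. PI6 in K_6.
PI6 = (1, 0, 3, 2, 5, 4)
# Constructed counterexample: a 3-cycle is not in K_6 (pi^2 != id), so the
# interference in (D3) is only partial and the outcome becomes probabilistic.
CYCLE3 = (1, 2, 0, 3, 4, 5)

if __name__ == "__main__":
    identity = tuple(range(6))
    print(distinguish(identity, PI6, +1), distinguish(identity, PI6, -1))  # {0: 1.0} {1: 1.0}
    print(always_correct(PI6))                                            # True
    print(distinguish(identity, CYCLE3, +1))                              # {0: 0.75, 1: 0.25}
```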



2.2 Reduction from Worst Case to Average Case 

We want to reduce the worst-case hardness of $\mathrm{QSCD}_\mathrm{ff}$ to its average-case hardness. Such a reduction implies that $\mathrm{QSCD}_\mathrm{ff}$ with a random permutation $\pi$ is at least as hard as $\mathrm{QSCD}_\mathrm{ff}$ with the permutation $\pi$ of the highest complexity. Since the converse reduction is trivial, the average-case hardness of $\mathrm{QSCD}_\mathrm{ff}$ is, in fact, polynomial-time Turing equivalent to its worst-case hardness.

Theorem 2.2 Let $k$ be any polynomial. Assume that there exists a polynomial-time quantum algorithm $A$ that solves $k$-$\mathrm{QSCD}_\mathrm{ff}$ with non-negligible advantage for a uniformly random $\pi \in \mathcal{K}_n$; namely, there exists a polynomial $p$ such that, for infinitely many security parameters $n$ in $N$,

$$\left|\Pr_{\pi,A}\left[A(\rho_\pi^+(n)^{\otimes k(n)}) = 1\right] - \Pr_{\pi,A}\left[A(\rho_\pi^-(n)^{\otimes k(n)}) = 1\right]\right| > \frac{1}{p(n)},$$

where $\pi$ is chosen uniformly at random from $\mathcal{K}_n$. Then, there exists a polynomial-time quantum algorithm $B$ that solves $k$-$\mathrm{QSCD}_\mathrm{ff}$ with non-negligible advantage for any permutation $\pi \in \mathcal{K}_n$.

Proof. Fix an arbitrary parameter $n \in N$ that satisfies the assumption of the theorem. For each $i \in \{1, 2, \dots, k(n)\}$, let $\chi_i$ be the $i$th state of the given $k(n)$ states. Note that $\chi_i$ is in $\{\rho_\pi^+, \rho_\pi^-\}$. We build the desired worst-case algorithm $B$ from the average-case algorithm $A$ in the following way.

(R1) Choose a permutation $\tau \in S_n$ uniformly at random.

(R2) Apply $\tau$ to each $\chi_i$, where $i \in \{1, \dots, k\}$, from the right. If $\chi_i = \rho_\pi^+$, then we obtain the quantum state

$$\frac{1}{2n!}\sum_{\sigma\in S_n}(|\sigma\tau\rangle + |\sigma\tau\,\tau^{-1}\pi\tau\rangle)(\langle\sigma\tau| + \langle\sigma\tau\,\tau^{-1}\pi\tau|) = \frac{1}{2n!}\sum_{\sigma'\in S_n}(|\sigma'\rangle + |\sigma'\tau^{-1}\pi\tau\rangle)(\langle\sigma'| + \langle\sigma'\tau^{-1}\pi\tau|).$$

When $\chi_i = \rho_\pi^-$, we instead obtain $\chi_i' = \frac{1}{2n!}\sum_{\sigma'\in S_n}(|\sigma'\rangle - |\sigma'\tau^{-1}\pi\tau\rangle)(\langle\sigma'| - \langle\sigma'\tau^{-1}\pi\tau|)$.

(R3) Invoke the average-case quantum algorithm $A$ on the input $\chi_i'$.
(R4) Output the outcome of $A$.

Note that $\tau^{-1}\pi\tau$ belongs to $\mathcal{K}_n$ for any $\tau$. Moreover, there exists a $\tau \in S_n$ satisfying $\tau^{-1}\pi\tau = \pi'$ for each $\pi' \in \mathcal{K}_n$. Hence, the conjugacy class of $\pi$ is equal to $\mathcal{K}_n$. In addition, the number of all permutations $\tau \in S_n$ for which $\tau^{-1}\pi\tau = \pi'$ is independent of the choice of $\pi' \in \mathcal{K}_n$. These properties imply that $\tau^{-1}\pi\tau$ is indeed uniformly distributed over $\mathcal{K}_n$. Therefore, by feeding the input $\bigotimes_{i=1}^{k}\chi_i'$ to the algorithm $A$, we achieve the desired non-negligible advantage of $A$. □
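As an added check of the conjugation argument in the proof above (not from the paper), the following enumerates $\mathcal{K}_6$ and the histogram of $\tau^{-1}\pi\tau$ over all $\tau \in S_6$ for a constructed $\pi \in \mathcal{K}_6$, contrasting it with a permutation outside $\mathcal{K}_6$; the permutation encoding and composition convention are the example's own.

```python
"""Added check of the re-randomisation step (R1)-(R2) of Theorem 2.2.

The proof relies on three facts about K_n: tau^{-1} pi tau stays in K_n, every
element of K_n arises this way, and each arises from the same number of tau.
This enumerates them for n = 6 (|S_6| = 720).  Permutations are 0-indexed
tuples of images; the composition convention is the example's own.
"""
from collections import Counter
from itertools import permutations


def compose(a, b):
    """(a*b)(i) = a(b(i))."""
    return tuple(a[b[i]] for i in range(len(a)))


def inverse(a):
    inv = [0] * len(a)
    for i, ai in enumerate(a):
        inv[ai] = i
    return tuple(inv)


def in_K(pi):
    """pi in K_n: pi^2 = id and pi(i) != i for every i."""
    return all(pi[i] != i and pi[pi[i]] == i for i in range(len(pi)))


def K(n):
    """All of K_n by brute force (empty for odd n: no fixed-point-free involution exists)."""
    return [p for p in permutations(range(n)) if in_K(p)]


def conjugate(pi, tau):
    """The hidden permutation seen by A after (R2): tau^{-1} pi tau."""
    return compose(inverse(tau), compose(pi, tau))


def conjugation_histogram(pi):
    """How often each permutation occurs as tau^{-1} pi tau when tau ranges over S_n."""
    return Counter(conjugate(pi, tau) for tau in permutations(range(len(pi))))


def is_uniform_over_K(pi):
    """True iff a uniform tau makes tau^{-1} pi tau exactly uniform over K_n."""
    hist = conjugation_histogram(pi)
    return set(hist) == set(K(len(pi))) and len(set(hist.values())) == 1


# Constructed instances: PI6 = (0 1)(2 3)(4 5) lies in K_6; CYCLE3 is a 3-cycle,
# whose conjugates are the 3-cycles, not K_6.
PI6 = (1, 0, 3, 2, 5, 4)
CYCLE3 = (1, 2, 0, 3, 4, 5)

if __name__ == "__main__":
    print(len(K(6)))                                          # 15
    print(set(conjugation_histogram(PI6).values()))           # {48}, i.e. 720 / 15
    print(is_uniform_over_K(PI6), is_uniform_over_K(CYCLE3))  # True False
```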

2.3 Computational Hardness 

The third property of $\mathrm{QSCD}_\mathrm{ff}$ relates to the computational hardness of $\mathrm{QSCD}_\mathrm{ff}$. We want to present two claims that witness its relative hardness. First, we prove that the computational complexity of $\mathrm{QSCD}_\mathrm{ff}$ is lower-bounded by that of GA by constructing an efficient reduction from GA to $\mathrm{QSCD}_\mathrm{ff}$. Second, we discuss a relationship between $\mathrm{QSCD}_\mathrm{ff}$ and SHSP and prove that $\mathrm{QSCD}_\mathrm{ff}$ cannot be solved from $o(n\log n)$ samples.

Now, we prove the first claim on the reducibility of GA to $\mathrm{QSCD}_\mathrm{ff}$. Our reduction from GA to $\mathrm{QSCD}_\mathrm{ff}$ consists of two parts: a reduction from GA to a variant of GA, called $\mathrm{UniqueGA}_\mathrm{ff}$, and a reduction from $\mathrm{UniqueGA}_\mathrm{ff}$ to $\mathrm{QSCD}_\mathrm{ff}$. To describe the desired reduction, we first introduce two variants of GA. Earlier, Kobler et al. [?] introduced the following unique graph automorphism problem (UniqueGA).

Unique Graph Automorphism Problem (UniqueGA):
input: an undirected graph $G = (V, E)$;

promise: $G$ has either a unique non-trivial automorphism or no non-trivial automorphism;
output: YES if $G$ has the non-trivial automorphism, and NO otherwise.

Note that UniqueGA is called (1GA, GA) as a promise problem in [?]. To establish a direct connection to $\mathrm{QSCD}_\mathrm{ff}$, we further introduce the unique graph automorphism problem with fully-flipped permutation ($\mathrm{UniqueGA}_\mathrm{ff}$).

Unique Graph Automorphism with Fully-Flipped Permutation ($\mathrm{UniqueGA}_\mathrm{ff}$):
input: an undirected graph $G = (V, E)$, where $|V| = n \in N$;
promise: $G$ has either a unique non-trivial automorphism $\pi \in \mathcal{K}_n$ or no non-trivial automorphism;

output: YES if $G$ has the non-trivial automorphism, and NO otherwise.

Note that the instance $G$ of $\mathrm{UniqueGA}_\mathrm{ff}$ is defined only when the number $n$ of nodes belongs to the set $N = \{2(2n'+1) : n' \in \mathbb{N}\}$.

We prove two useful lemmas regarding $\mathrm{UniqueGA}_\mathrm{ff}$. The first lemma uses the so-called coset sampling method, which has been largely used in many extensions of Shor's algorithm.

Lemma 2.3 There exists a polynomial-time quantum algorithm that, given an instance $G$ of $\mathrm{UniqueGA}_\mathrm{ff}$, generates the quantum state $\rho_\pi^+$ if $G$ is a "YES" instance with its unique non-trivial automorphism $\pi$, or generates $\iota = \frac{1}{n!}\sum_{\sigma\in S_n}|\sigma\rangle\langle\sigma|$ if $G$ is a "NO" instance.

Proof. Given an instance $G$ of $\mathrm{UniqueGA}_\mathrm{ff}$, we first prepare the quantum state $\frac{1}{\sqrt{n!}}\sum_{\sigma\in S_n}|\sigma\rangle|\sigma(G)\rangle$, where $\sigma(G)$ is the graph resulting from relabeling its nodes according to the permutation $\sigma$. By discarding the second register, we obtain the unique quantum state $\chi$ in the first register. This $\chi$ satisfies $\chi = \rho_\pi^+$ if $G$ is a "YES" instance with the unique non-trivial automorphism $\pi$, and $\chi = \iota$ otherwise, as requested. □

The second lemma requires a variant of the coset sampling method as a technical tool. The lemma in essence relies on the fact that the hidden $\pi$ is an odd permutation. This is one of the special properties of $\mathcal{K}_n$.

Lemma 2.4 There exists a polynomial-time quantum algorithm that, given an instance $G$ of $\mathrm{UniqueGA}_\mathrm{ff}$, generates the quantum state $\rho_\pi^-$ if $G$ is a "YES" instance with the unique non-trivial automorphism $\pi$, or generates $\iota$ if $G$ is a "NO" instance.

Proof. Similarly to the algorithm of Lemma 2.3, we start with the quantum state $\frac{1}{\sqrt{n!}}\sum_{\sigma\in S_n}|\sigma\rangle|\sigma(G)\rangle$ in two registers. Compute the sign of each permutation in the first register and then invert its phase exactly when the permutation is odd. Consequently, we obtain the quantum state $\frac{1}{\sqrt{n!}}\sum_{\sigma\in S_n}(-1)^{\mathrm{sgn}(\sigma)}|\sigma\rangle|\sigma(G)\rangle$, where $\mathrm{sgn}(\sigma) = 0$ if $\sigma$ is even, and $\mathrm{sgn}(\sigma) = 1$ otherwise. By discarding the second register, we obtain a certain quantum state, say, $\chi$ in the first register. Note that, since $\pi$ is odd, if $\sigma$ is odd (even, resp.) then $\sigma\pi$ is even (odd, resp.). Therefore, it follows that $\chi = \rho_\pi^-$ if $G$ is a "YES" instance with the unique non-trivial automorphism $\pi$, and $\chi = \iota$ otherwise. □

We are now ready to present a reduction from GA to $\mathrm{QSCD}_\mathrm{ff}$. This shows that $\mathrm{QSCD}_\mathrm{ff}$ is computationally at least as hard as GA for infinitely many input lengths $n$.

Theorem 2.5 If there exist a polynomial $k$ and a polynomial-time quantum algorithm that solves $k$-$\mathrm{QSCD}_\mathrm{ff}$ with non-negligible advantage, then there exists a polynomial-time quantum algorithm that solves GA in the worst case for infinitely many input lengths $n$.

Proof. We first show that GA is polynomial-time Turing equivalent to $\mathrm{UniqueGA}_\mathrm{ff}$ and then give a reduction from $\mathrm{UniqueGA}_\mathrm{ff}$ to $\mathrm{QSCD}_\mathrm{ff}$. The reduction from GA to $\mathrm{UniqueGA}_\mathrm{ff}$ is similar to the one given by Kobler et al. [?], who presented a polynomial-time Turing reduction from GA to UniqueGA. Their polynomial-time algorithm for GA invokes UniqueGA as an oracle on a promised input, which is a graph with an even number of nodes that has either a unique non-trivial automorphism without any fixed point or no non-trivial automorphism at all. Modifying the construction of their reduction, we can easily obtain our reduction from GA to $\mathrm{UniqueGA}_\mathrm{ff}$. Furthermore, it is possible to make the length $n$ satisfy the equation $n = 2(2n'+1)$ for a certain $n' \in \mathbb{N}$ by a slight modification of their argument. Therefore, we obtain the following lemma.

Lemma 2.6 $\mathrm{UniqueGA}_\mathrm{ff}$ is polynomial-time Turing equivalent to GA.

Actually, a much stronger statement holds. When a Turing reduction to a promise problem makes only queries that satisfy the promise, the reduction is called smart [22]. Such a smart reduction is desirable for a security reduction of a cryptosystem. Since the reduction from GA to UniqueGA in [?] is indeed smart, so is our reduction. For readability, we postpone the proof of Lemma 2.6 until the Appendix.

From Lemma 2.6, it suffices to construct a reduction from $\mathrm{UniqueGA}_\mathrm{ff}$ to $\mathrm{QSCD}_\mathrm{ff}$. Assume that there exist two polynomials $k, p$ and a polynomial-time quantum algorithm $A$ such that, for infinitely many $n$'s, $A$ solves $k$-$\mathrm{QSCD}_\mathrm{ff}$ with advantage $1/p(n)$. Let us fix an arbitrary $n$ for which $A$ solves $k$-$\mathrm{QSCD}_\mathrm{ff}$ with advantage $1/p(n)$. For any given instance $G$ of $\mathrm{UniqueGA}_\mathrm{ff}$, we perform the following procedure:

(S1) Generate two sequences $S^+ = (\chi^{+\otimes k}, \dots, \chi^{+\otimes k})$ and $S^- = (\chi^{-\otimes k}, \dots, \chi^{-\otimes k})$, each of $8p^2(n)n$ instances, from $G$ using the algorithms of Lemmas 2.3 and 2.4, respectively.

(S2) Invoke $A$ on each component in $S^+$ and $S^-$ as an input. Let $R^+ = (A(\chi^{+\otimes k}), \dots, A(\chi^{+\otimes k}))$ and $R^- = (A(\chi^{-\otimes k}), \dots, A(\chi^{-\otimes k}))$ be the resulting sequences.

(S3) Output YES if the difference between the number of 1's in $R^+$ and that in $R^-$ is at least $4p(n)n$; output NO otherwise.

Note that if $G$ is a "YES" instance, then we have $S^+ = (\rho_\pi^{+\otimes k}, \dots, \rho_\pi^{+\otimes k})$ and $S^- = (\rho_\pi^{-\otimes k}, \dots, \rho_\pi^{-\otimes k})$; otherwise, we have $S^+ = S^- = (\iota^{\otimes k}, \dots, \iota^{\otimes k})$. Therefore, as far as $G$ is a "YES" instance, the numbers of 1's in $R^+$ and in $R^-$ are clearly different.

Finally, we estimate the above difference. Let $X^+$ and $X^-$ be two random variables respectively expressing the numbers of 1's in $R^+$ and in $R^-$. Assume that $G$ is a "YES" instance. The Hoeffding bound implies $\Pr[|X^+ - X^-| > 4p(n)n] > 1 - 2e^{-n}$ since $|\Pr[A(\rho_\pi^{+\otimes k}) = 1] - \Pr[A(\rho_\pi^{-\otimes k}) = 1]| > 1/p(n)$ from our assumption. Similarly, when $G$ is a "NO" instance, we have $\Pr[|X^+ - X^-| < 4p(n)n] > 1 - 2e^{-n}$. This guarantees that the above procedure solves $\mathrm{UniqueGA}_\mathrm{ff}$ efficiently. □

As noted in Section 1, our distinction problem $\mathrm{QSCD}_\mathrm{ff}$ is rooted in SHSP. It is known that a special case of SHSP is reduced to the distinction problem between $\{\rho_\pi^+(n)\}_{n\in N}$ and $\{\iota(n)\}_{n\in N}$. As Hallgren et al. [21] argued, this problem cannot be solved by any time-unbounded quantum algorithm over $o(n\log n)$ identical samples. Regarding our second claim, we want to show a close relationship between $\mathrm{QSCD}_\mathrm{ff}$ and this distinction problem between $\{\rho_\pi^+(n)\}_{n\in N}$ and $\{\iota(n)\}_{n\in N}$.

Before stating the second claim, we present an algorithm that converts $\rho_\pi^+$ to $\rho_\pi^-$ for any fixed $\pi \in \mathcal{K}_n$. This algorithm is a key to the proof of the claim and further to the construction of a quantum PKC in the subsequent section.

Lemma 2.7 (Conversion Algorithm) There exists a polynomial-time quantum algorithm that, with certainty, converts $\rho^+_\pi(n)$ into $\rho^-_\pi(n)$ and keeps $\iota(n)$ as it is for any parameter $n\in\mathbb{N}$ and any hidden permutation $\pi\in K_n$.

Proof. First, recall the definition of $\mathrm{sgn}(\sigma)$. Let $\pi\in K_n$ be any hidden permutation. For its corresponding quantum state $\rho^+_\pi$, the desired algorithm simply inverts its phase according to the sign of the permutation. This is done by performing the following transformation:

Note that deciding the sign of a given permutation takes only polynomial time. Since $\pi$ is odd, the above algorithm obviously converts $\rho^+_\pi$ to $\rho^-_\pi$. Moreover, the algorithm does not alter the quantum state $\iota$. □

A result similar to the above also holds for QSCD_ff on the distinguishing hardness of two quantum states. Theorem 2.8 shows that QSCD_ff can be reduced to the above distinction problem in polynomial time. As an immediate consequence, no time-unbounded quantum algorithm can solve QSCD_ff from $o(n\log n)$ samples. The proof of the theorem requires a quantum version of the so-called hybrid argument.

Theorem 2.8 Let $k$ be any polynomial. If there exists a quantum algorithm $A$ such that
$$\left|\Pr[A(\rho^+_\pi(n)^{\otimes k(n)}) = 1] - \Pr[A(\rho^-_\pi(n)^{\otimes k(n)}) = 1]\right| \ge \varepsilon(n)$$
for any security parameter $n\in\mathbb{N}$, then there exists a quantum algorithm $B$ such that, for each $n\in\mathbb{N}$,
$$\left|\Pr[B(\rho^+_\pi(n)^{\otimes k(n)}) = 1] - \Pr[B(\iota(n)^{\otimes k(n)}) = 1]\right| \ge \frac{\varepsilon(n)}{4}.$$

Proof. Fix $n\in\mathbb{N}$ arbitrarily; we hereafter omit this parameter $n$. Assume that a quantum algorithm $A$ distinguishes between $\rho^{+\otimes k}$ and $\rho^{-\otimes k}$ with advantage at least $\varepsilon(n)$. Let $A'$ be the algorithm that applies the conversion algorithm of Lemma 2.7 to a given state $x$ (which is either $\rho^{+\otimes k}$ or $\iota^{\otimes k}$) and then feeds the resulting state $x'$ (either $\rho^{-\otimes k}$ or $\iota^{\otimes k}$) to $A$. Note that $A'(\rho^{+\otimes k}) = A(\rho^{-\otimes k})$ and $A'(\iota^{\otimes k}) = A(\iota^{\otimes k})$ by our definition. It thus follows by the triangle inequality that
$$\left|\Pr[A(\rho^{+\otimes k}) = 1] - \Pr[A(\iota^{\otimes k}) = 1]\right| + \left|\Pr[A'(\rho^{+\otimes k}) = 1] - \Pr[A'(\iota^{\otimes k}) = 1]\right| \ge \varepsilon(n)$$
for any parameter $n\in\mathbb{N}$. This inequality leads us to either
$$\left|\Pr[A(\rho^{+\otimes k}) = 1] - \Pr[A(\iota^{\otimes k}) = 1]\right| \ge \frac{\varepsilon(n)}{2}$$
or
$$\left|\Pr[A'(\rho^{+\otimes k}) = 1] - \Pr[A'(\iota^{\otimes k}) = 1]\right| \ge \frac{\varepsilon(n)}{2}.$$
To complete the proof, we design the desired algorithm $B$ as follows: first choose either $A$ or $A'$ at random and then simulate the chosen algorithm. It is easy to verify that $B$ distinguishes between $\rho^{+\otimes k}$ and $\iota^{\otimes k}$ with advantage at least $\varepsilon(n)/4$. □




3 Application to a Quantum Public-Key Cryptosystem 

Section 2 has shown the useful cryptographic properties of QSCD_ff. Founded on these properties, we wish to construct a quantum PKC where the computational hardness of QSCD_ff (which can be further reduced to the hardness of GA) guarantees its security. We start with an efficient quantum algorithm that generates $\rho^+_\pi$ from $\pi$.

Lemma 3.1 ($\rho^+_\pi$-Generation Algorithm) There exists a polynomial-time quantum algorithm that, on input $\pi\in K_n$, generates the quantum state $\rho^+_\pi$ with probability 1.

Proof. The desired generation algorithm uses two registers and is given below. It is straightforward to verify the correctness of the given algorithm and we omit the correctness proof.

(G1) Prepare the state $|0\rangle|\mathrm{id}\rangle$ in two quantum registers.

(G2) Apply the Hadamard transformation to the first register to obtain the state $\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)|\mathrm{id}\rangle$.

(G3) Perform the Controlled-$\pi$ on both registers and we obtain the state $\frac{1}{\sqrt{2}}(|0\rangle|\mathrm{id}\rangle + |1\rangle|\pi\rangle)$.

(G4) Subtract 1 from the content of the first register exactly when the second register contains $\pi$. This process gives rise to the state $\frac{1}{\sqrt{2}}(|0\rangle|\mathrm{id}\rangle + |0\rangle|\pi\rangle)$.

(G5) Apply a uniformly random permutation $\sigma$ to the content of the second register from the left. The whole quantum system becomes $\frac{1}{\sqrt{2}}(|0\rangle|\sigma\rangle + |0\rangle|\sigma\pi\rangle)$.

(G6) Output the content of the second register.

□

Hereafter, we describe our quantum PKC and give its security proof. For the security proof, we need to specify the model of the adversary's attack. Of all attack models discussed in [7], we choose a quantum analogue of the indistinguishability against the chosen plaintext attack (IND-CPA) and adopt the following "weakest" scenario:

Alice (sender) wants to send a classical single-bit message securely to Bob (receiver) via a quantum channel. Assume that Alice and Bob are capable of running polynomial-time quantum algorithms. Bob first generates a certain quantum state as an encryption key. Alice requests him for his encryption key and then encrypts her message using the key. By making a request to Bob, Eve (adversary) also obtains numerous copies of his encryption key. Therefore, we can assume that Eve's attack concentrates on Alice's message transmission phase through the quantum channel. Eve intercepts Alice's encrypted message via the channel and tries to decrypt it using polynomially-many copies of Bob's encryption key by applying polynomial-time quantum algorithms.



Now, we explain our quantum PKC protocol in detail. Note that, in our protocol, Alice transmits a single-bit message to Bob using his $O(n\log n)$-qubit-long encryption key. Our protocol consists of two phases: Bob's key transmission phase and Alice's message transmission phase. (See Figure 1.)

[Figure 1: diagram of Alice, Bob and Eve sharing the quantum channel, with Bob's encryption key $\rho^+_\pi$ shown on it.]

Figure 1: our public-key cryptosystem

Here is the precise description of our quantum PKC protocol.

[Key transmission phase]

(A1) Bob chooses a decryption key $\pi$ uniformly at random from $K_n$.
(A2) Bob generates sufficiently many copies of the encryption key $\rho^+_\pi$.
(A3) Alice obtains a copy of the encryption key from Bob.

[Message transmission phase]

(A4) Alice encrypts 0 or 1 into $\rho^+_\pi$ or $\rho^-_\pi$, respectively, and sends the encrypted message back to Bob.
(A5) Bob decrypts Alice's message using the decryption key $\pi$.

Step (A1) can be implemented by first choosing different transpositions uniformly at random and then letting $\pi$ be the product of these chosen transpositions. Step (A2) is done by the $\rho^+_\pi$-generation algorithm of Lemma 3.1. The conversion algorithm of Lemma 2.7 implements Step (A4) since Alice sends Bob either the received state $\rho^+_\pi$ or its converted state $\rho^-_\pi$. Finally, the distinguishing algorithm of Theorem 2.1 implements Step (A5).
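The single-bit protocol (A1)-(A5) carried out end to end, as an added simulation that is not the paper's own code: it follows the generation steps (G1)-(G6) of Lemma 3.1 and the conversion algorithm of Lemma 2.7 on one pure sample, and decrypts with the controlled-π test of Theorem 2.1, whose circuit (Hadamard, controlled right-multiplication by π, Hadamard, measurement) is assumed here because this page only cites that theorem; all function names are mine.

```python
"""Constructed simulation (added example, not the paper's code) of the single-bit
QSCD_ff scheme: Steps (A1)-(A5), the rho^+_pi-generation algorithm (G1)-(G6) and
the conversion algorithm of Lemma 2.7.  Decryption is the controlled-pi test the
paper attributes to Theorem 2.1 (not on this page); its form is assumed.
A state is a dict {basis label: amplitude}; a permutation of {0,..,n-1} is a
tuple p with p[i] the image of i.  One pure sample (|sigma>+|sigma pi>)/sqrt2
stands in for the mixed state rho^+_pi, whose sigma is uniformly random."""
import math
import random

def mul(a, b):
    """Product 'a b': apply b first, then a, so |sigma pi> = mul(sigma, pi)."""
    return tuple(a[b[i]] for i in range(len(a)))

def parity(p):
    """sgn(p) as 0 (even) or 1 (odd), read off the lengths of its cycles."""
    seen, odd = [False] * len(p), 0
    for i in range(len(p)):
        if seen[i]:
            continue
        j, length = i, 0
        while not seen[j]:
            seen[j], j, length = True, p[j], length + 1
        odd ^= (length - 1) & 1
    return odd

def keygen(n, rng):
    """(A1): pi in K_n, a product of n/2 disjoint transpositions, n = 2(2n'+1)."""
    assert n % 2 == 0 and (n // 2) % 2 == 1
    pts = list(range(n))
    rng.shuffle(pts)
    pi = list(range(n))
    for a, b in zip(pts[0::2], pts[1::2]):
        pi[a], pi[b] = b, a
    return tuple(pi)

def generate_plus(pi, rng):
    """(G1)-(G6): one pure sample (|sigma> + |sigma pi>)/sqrt2 of rho^+_pi."""
    n, h = len(pi), 1 / math.sqrt(2)
    ident = tuple(range(n))
    st = {(0, ident): h, (1, ident): h}             # (G1)+(G2): |0>|id>, Hadamard on control
    st = {(c, mul(p, pi) if c else p): a for (c, p), a in st.items()}  # (G3) controlled-pi
    st = {((c - 1) % 2 if p == pi else c, p): a for (c, p), a in st.items()}  # (G4)
    sigma = tuple(rng.sample(range(n), n))          # (G5) uniformly random sigma, from the left
    st = {(c, mul(sigma, p)): a for (c, p), a in st.items()}
    assert all(c == 0 for c, _ in st)               # the control register is back to |0>
    return {p: a for (_, p), a in st.items()}       # (G6) keep the second register

def encrypt(bit, key):
    """(A4): send the key as is for 0; for 1 apply Lemma 2.7, the phase (-1)^sgn(sigma)
    on every |sigma>, which yields the rho^- sample because pi is odd."""
    return {p: a * (-1) ** (bit * parity(p)) for p, a in key.items()}

def decrypt(pi, cipher):
    """(A5): controlled-pi test (assumed form of Theorem 2.1); returns (bit, Pr[bit])."""
    h, st, out = 1 / math.sqrt(2), {}, {}
    for p, a in cipher.items():                     # control (|0>+|1>)/sqrt2, pi on the |1> branch
        st[(0, p)] = st.get((0, p), 0) + a * h
        st[(1, mul(p, pi))] = st.get((1, mul(p, pi)), 0) + a * h
    for (c, p), a in st.items():                    # second Hadamard on the control qubit
        out[(0, p)] = out.get((0, p), 0) + a * h
        out[(1, p)] = out.get((1, p), 0) + a * h * (-1) ** c
    prob1 = sum(abs(a) ** 2 for (c, _), a in out.items() if c == 1)
    return (1, prob1) if prob1 > 0.5 else (0, 1 - prob1)

def run_protocol(bit, n=6, seed=7):
    """The whole exchange for one message bit; the eavesdropper is not modelled."""
    rng = random.Random(seed)
    pi = keygen(n, rng)                             # (A1)
    key = generate_plus(pi, rng)                    # (A2)/(A3): Alice's copy of rho^+_pi
    return decrypt(pi, encrypt(bit, key))           # (A4) then (A5)
```

Both outcomes are deterministic, as the paper's test promises: the measured control qubit equals the message bit with probability 1.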

The security of our PKC is proven by reducing GA to Eve's attack during the message transmission phase. Our reduction is a simple modification of the reduction given in Theorem 2.5.

Proposition 3.2 Let $A$ be any polynomial-time quantum adversary who attacks our quantum PKC during the message transmission phase. Assume that there exist two polynomials $p(n)$ and $l(n)$ satisfying that
$$\left|\Pr_{\pi,A}[A(\rho^+_\pi, \rho^{+\otimes l(n)}_\pi) = 1] - \Pr_{\pi,A}[A(\rho^-_\pi, \rho^{+\otimes l(n)}_\pi) = 1]\right| \ge \frac{1}{p(n)}$$
for infinitely many parameters $n\in\mathbb{N}$. Then, there exists a polynomial-time quantum algorithm that solves GA in the worst case with non-negligible probability for infinitely many $n$'s.

Proof. The proposition immediately follows from the proof of Theorem 2.5 by replacing $\rho^{+\otimes k}$, $\rho^{-\otimes k}$, and $\iota^{\otimes k}$ in the proof with $(\rho^+, \rho^{+\otimes l(n)})$, $(\rho^-, \rho^{+\otimes l(n)})$, and $(\iota, \iota^{\otimes l(n)})$, respectively. □
4 Generalization of QSCD_ff

In our QSCD_ff-based quantum PKC, Alice encrypts a single-bit message using an $O(n\log n)$-qubit encryption key. We wish to show how to increase the size of Alice's encryption message and construct a multi-bit quantum PKC built upon a generalization of QSCD_ff, called QSCD_cyc (QSCD with cyclic permutations), which is the distinction problem among multiple ensembles of quantum states. Recall that Definition 1.1 has introduced the notion of computational indistinguishability between two ensembles of quantum states. This notion can be naturally generalized as follows to multiple quantum state ensembles.

Definition 4.1 We say that $m$ ensembles $\{\rho_0(l)\}_{l\in\mathbb{N}}, \ldots, \{\rho_{m-1}(l)\}_{l\in\mathbb{N}}$ of quantum states are computationally indistinguishable if, for any distinct pair $i,j\in\mathbb{Z}_m$, the advantage between the two ensembles $\{\rho_i(l)\}_{l\in\mathbb{N}}$ and $\{\rho_j(l)\}_{l\in\mathbb{N}}$ is negligible for any polynomial-time quantum algorithm $A$; namely, for any two ensembles $\{\rho_i(l)\}_{l\in\mathbb{N}}$ and $\{\rho_j(l)\}_{l\in\mathbb{N}}$, any polynomial $p$, any polynomial-time quantum algorithm $A$, and any sufficiently large number $l$, we have
$$\left|\Pr[A(\rho_i(l)) = 1] - \Pr[A(\rho_j(l)) = 1]\right| < \frac{1}{p(l)}.$$

The distinction problem among $\{\rho_0(l)\}_{l\in\mathbb{N}}, \ldots, \{\rho_{m-1}(l)\}_{l\in\mathbb{N}}$ is said to be solvable with non-negligible advantage if the ensembles are not computationally indistinguishable; i.e., there exist two ensembles $\{\rho_i(l)\}_{l\in\mathbb{N}}$ and $\{\rho_j(l)\}_{l\in\mathbb{N}}$, a polynomial-time quantum algorithm $A$ and a polynomial $p$ such that
$$\left|\Pr[A(\rho_i(l)) = 1] - \Pr[A(\rho_j(l)) = 1]\right| \ge \frac{1}{p(l)}$$
for infinitely many numbers $l\in\mathbb{N}$.



We wish to define a specific distinction problem, denoted succinctly QSCD_cyc, among $m$ ensembles of quantum states. For any fixed $n\in\mathbb{N}$, assume that $m\ge 2$ and $m$ divides $n$. For each $\sigma\in S_n$, $\pi\in K_n^m$, and $s\in\mathbb{Z}_m$, let
$$|\Psi^{(s)}_{\sigma,\pi}\rangle = \frac{1}{\sqrt{m}}\sum_{t=0}^{m-1}\omega_m^{st}\,|\sigma\pi^t\rangle,$$
where $\omega_m = e^{2\pi i/m}$. Our new hidden permutation $\pi$ consists of $n/m$ disjoint cyclic permutations of length $m$; namely, $\pi$ is of the form
$$\pi = (i_0\ i_1\ \cdots\ i_{m-1})\cdots(i_{n-m}\ i_{n-m+1}\ \cdots\ i_{n-1}),$$
where $i_s, i_t\in\mathbb{Z}_n$ and $i_s\ne i_t$ if $s\ne t$ for any pair $(s,t)$. Such a permutation $\pi$ has the following properties: (i) $\pi$ has no fixed points (i.e., $\pi(i)\ne i$ for any $i\in\mathbb{Z}_n$) and (ii) $\pi$ is of order $m$ (i.e., $\pi^m = \mathrm{id}$). For convenience, denote by $K_n^m\subseteq S_n$ the set of all such permutations. The distinction problem QSCD_cyc is finally defined in the following way.

Definition 4.2 The problem QSCD_cyc is the distinction problem among $m$ ensembles $\{\rho^{(0)}_\pi(n)^{\otimes k(n)}\}_{n\in\mathbb{N}}, \ldots, \{\rho^{(m-1)}_\pi(n)^{\otimes k(n)}\}_{n\in\mathbb{N}}$ of quantum states, where $k$ is a polynomial and the notation $\rho^{(s)}_\pi(n)$ denotes the mixed state $\frac{1}{n!}\sum_{\sigma\in S_n}|\Psi^{(s)}_{\sigma,\pi}\rangle\langle\Psi^{(s)}_{\sigma,\pi}|$ for each $\pi\in K_n^m$. In particular, for any fixed $k$, we write $k$-QSCD_cyc.

As in the case of QSCD_ff, we also drop the parameter $n$ wherever possible. Note that QSCD_ff coincides with QSCD_cyc with $m = 2$ and $n = 2(2n'+1)$ for a certain number $n'\in\mathbb{N}$.

The generalized problem QSCD_cyc also enjoys useful cryptographic properties. We first present the trapdoor property of QSCD_cyc. In the case of QSCD_ff, we embed only a single bit into the quantum states $\rho^+_\pi$ and $\rho^-_\pi$. This is possible because its trapdoor information $\pi$ is a permutation of order two. Since $\pi$ is of order $m > 2$ in QSCD_cyc, a message $s\in\mathbb{Z}_m$ can be embedded into the quantum states $\rho^{(0)}_\pi, \ldots, \rho^{(m-1)}_\pi$.

Now, we present a distinguishing algorithm for $\rho^{(s)}_\pi$.

Theorem 4.3 (Generalized Distinguishing Algorithm) There exists a polynomial-time quantum algorithm that, for each $n\in\mathbb{N}$, $\pi\in K_n^m$, and $s\in\mathbb{Z}_m$, decrypts $\rho^{(s)}_\pi(n)$ to $s$ with exponentially-small error probability.
Proof. Let $x$ be any given quantum state of the form $\rho^{(s)}_\pi$ for a certain hidden permutation $\pi\in K_n^m$ and a hidden parameter $s$. Note that $x$ is the mixture of pure states $|\Psi^{(s)}_{\sigma,\pi}\rangle$ over a randomly chosen $\sigma\in S_n$. It thus suffices to give a polynomial-time quantum algorithm that decrypts $|\Psi^{(s)}_{\sigma,\pi}\rangle$ to $s$ for any fixed $\sigma$. Such an algorithm can be given by conducting the following Generalized Controlled-$\pi$ Test, which is a straightforward generalization of the distinguishing algorithm given in Theorem 2.1.

[Generalized Controlled-$\pi$ Test]

(D1') Prepare two quantum registers. The first register holds a control string, initially set to $|0\rangle$, and the second register holds the state $|\Psi^{(s)}_{\sigma,\pi}\rangle$. Apply the inverse Fourier transformation to the first register. Meanwhile, assume that we can perform the Fourier transformation exactly. The total system then becomes
$$\frac{1}{\sqrt{m}}\sum_{r=0}^{m-1}|r\rangle\,|\Psi^{(s)}_{\sigma,\pi}\rangle = \frac{1}{m}\sum_{r,t}\omega_m^{st}\,|r\rangle|\sigma\pi^t\rangle.$$

(D2') Apply $\pi$ to the content of the second register from the right $r$ times. The state of the total system now becomes
$$\frac{1}{m}\sum_{r,t}\omega_m^{st}\,|r\rangle|\sigma\pi^{r+t}\rangle.$$

(D3') Apply the Fourier transformation to the first register and we obtain the state
$$\begin{aligned}
&\frac{1}{m^{3/2}}\sum_{r,t}\sum_{r'=0}^{m-1}\omega_m^{st+rr'}\,|r'\rangle|\sigma\pi^{r+t \bmod m}\rangle \\
&= \frac{1}{m^{3/2}}\sum_{r,t}\omega_m^{s(r+t)}\,|s\rangle|\sigma\pi^{r+t \bmod m}\rangle + \frac{1}{m^{3/2}}\sum_{r,t,\,r'\ne s}\omega_m^{st+rr'}\,|r'\rangle|\sigma\pi^{r+t \bmod m}\rangle \\
&= \frac{1}{\sqrt{m}}\sum_{t=0}^{m-1}\omega_m^{st}\,|s\rangle|\sigma\pi^t\rangle = |s\rangle|\Psi^{(s)}_{\sigma,\pi}\rangle.
\end{aligned}$$

(D4') Finally, measure the first register in the computational basis and output the result $s$ in

The error probability of the above algorithm depends only on the precision of the Fourier transformation over $\mathbb{Z}_m$. As shown in [28], the quantum Fourier transformation can be implemented with exponentially-small error probability by the approximated quantum Fourier transformation. Therefore, the theorem follows. □



Similar to QSCD_ff, the average-case hardness of QSCD_cyc coincides with its worst-case hardness.

Theorem 4.4 Let $k$ be any polynomial. Assume that there exists a polynomial-time quantum algorithm $A$ that solves $k$-QSCD_cyc with non-negligible advantage for a uniformly random $\pi\in K_n^m$; namely, there exist two numbers $s, s'\in\mathbb{Z}_m$ and a polynomial $p$ such that, for infinitely many numbers $n\in\mathbb{N}$,
$$\left|\Pr[A(\rho^{(s)}_\pi(n)^{\otimes k(n)}) = 1] - \Pr[A(\rho^{(s')}_\pi(n)^{\otimes k(n)}) = 1]\right| \ge \frac{1}{p(n)},$$
where $\pi$ is chosen uniformly at random from $K_n^m$. Then, there exists a polynomial-time quantum algorithm $B$ that solves $k$-QSCD_cyc with non-negligible advantage.

Proof. Applying a uniformly random permutation $\tau\in S_n$ to $|\Psi^{(s)}_{\sigma,\pi}\rangle$ from its right side, we obtain the state
$$\frac{1}{\sqrt{m}}\sum_{t=0}^{m-1}\omega_m^{st}\,|\sigma\pi^t\tau\rangle = \frac{1}{\sqrt{m}}\sum_{t=0}^{m-1}\omega_m^{st}\,|\sigma\tau(\tau^{-1}\pi^t\tau)\rangle = \frac{1}{\sqrt{m}}\sum_{t=0}^{m-1}\omega_m^{st}\,|\sigma\tau(\tau^{-1}\pi\tau)^t\rangle.$$
Note that $\frac{1}{n!}\sum_{\sigma\in S_n}|\Psi^{(s)}_{\sigma\tau,\tau^{-1}\pi\tau}\rangle\langle\Psi^{(s)}_{\sigma\tau,\tau^{-1}\pi\tau}|$ is an average-case instance of QSCD_cyc since $\tau^{-1}\pi\tau$ is distributed uniformly at random over $K_n^m$. The rest of the proof follows by an argument similar to the proof of Theorem 2.2. □

We want to show a quantum algorithm that generates the quantum state $\rho^{(s)}_\pi$ efficiently from $\pi$ and $s$. This generation algorithm will be used to generate encryption keys in our QSCD_cyc-based multi-bit quantum PKC.

Lemma 4.5 ($\rho^{(s)}_\pi$-Generation Algorithm) There exists a polynomial-time quantum algorithm that generates $\rho^{(s)}_\pi$ for any $s\in\mathbb{Z}_m$ and any $\pi\in K_n^m$ with exponentially-small error probability.

Proof. The construction is based on a straightforward generalization of the $\rho^+_\pi$-generation algorithm. We use the approximated Fourier transformation [28] instead of the Hadamard transformation. Note that the Fourier transformation over the cyclic group $\{\mathrm{id}, \pi, \pi^2, \ldots, \pi^{m-1}\}$ can be efficiently approximated from $\pi$ by an argument similar to the proof of Lemma 3.1 using the approximated Fourier transformation. Such approximation enables us to perform with exponentially-small error probability the following transformation:
$$F_\pi : |\pi^s\rangle \longmapsto \frac{1}{\sqrt{m}}\sum_{t=0}^{m-1}\omega_m^{st}\,|\pi^t\rangle.$$
Since the initial state $|\pi^s\rangle$ can be easily generated from $\pi$, we immediately obtain the approximation of $F_\pi|\pi^s\rangle$. By applying a uniformly-random permutation $\sigma\in S_n$ to the resulting state from the left, we obtain the desired state $\rho^{(s)}_\pi$ with exponentially-small error probability. □

Toward the end of this section, we present our multi-bit quantum PKC.

[Key transmission phase]

(A1') Bob chooses a decryption key $\pi$ uniformly at random from $K_n^m$.
(A2') Bob generates the series $\{\rho^{(0)}_\pi, \ldots, \rho^{(m-1)}_\pi\}$ of his encryption keys.
(A3') Alice obtains the entire encryption keys from Bob.

[Message transmission phase]

(A4') Alice picks up $\rho^{(s)}_\pi$ for her message $s\in\mathbb{Z}_m$ and sends $\rho^{(s)}_\pi$ back to Bob.
(A5') Bob decrypts Alice's encrypted message using his decryption key $\pi$.

By choosing cycles one by one sequentially, we can perform Step (A1'). The $\rho^{(s)}_\pi$-generation algorithm of Lemma 4.5 immediately implements Step (A2'). Note that Alice can encrypt her message $s$ simply by choosing $\rho^{(s)}_\pi$ from the series $\{\rho^{(0)}_\pi, \ldots, \rho^{(m-1)}_\pi\}$ of Bob's encryption keys. Finally, the generalized distinguishing algorithm in Theorem 4.3 achieves Step (A5').
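The multi-bit protocol (A1')-(A5') with the generalized controlled-π test (D1')-(D4') of Theorem 4.3 and the generation step of Lemma 4.5, as an added simulation that is not the paper's own code; it applies the Fourier transform over $\mathbb{Z}_m$ exactly instead of the approximated one, works on one pure sample $|\Psi^{(s)}_{\sigma,\pi}\rangle$ per run, and all function names are mine. With $m = 2$ it covers the QSCD_ff case as well.

```python
"""Constructed simulation (added example, not the paper's code) of the QSCD_cyc
multi-bit scheme (A1')-(A5'): pi in K_n^m is a product of n/m disjoint m-cycles,
the encryption key for message s is one pure sample
    |Psi^(s)_{sigma,pi}> = m^{-1/2} sum_t omega_m^{st} |sigma pi^t>   (Lemma 4.5),
and Bob runs the Generalized Controlled-pi Test (D1')-(D4') of Theorem 4.3.
The Fourier transform over Z_m is applied exactly here (the paper uses its
approximate version).  States are dicts {basis label: complex amplitude}."""
import cmath
import math
import random

def mul(a, b):
    """Product 'a b': apply b first, then a; |sigma pi^t> = mul(sigma, power(pi, t))."""
    return tuple(a[b[i]] for i in range(len(a)))

def power(p, t):
    """p^t by repeated multiplication (t is at most m, so this is cheap)."""
    q = tuple(range(len(p)))
    for _ in range(t):
        q = mul(q, p)
    return q

def keygen_cyc(n, m, rng):
    """(A1'): choose the n/m cycles one by one; pi has no fixed point and pi^m = id."""
    assert m >= 2 and n % m == 0
    pts = list(range(n))
    rng.shuffle(pts)
    pi = list(range(n))
    for k in range(0, n, m):
        cyc = pts[k:k + m]
        for i in range(m):
            pi[cyc[i]] = cyc[(i + 1) % m]
    return tuple(pi)

def key_state(pi, m, s, rng):
    """(A2'), Lemma 4.5: F_pi |pi^s> = m^{-1/2} sum_t omega^{st} |pi^t>, then a
    uniformly random sigma from the left gives |Psi^(s)_{sigma,pi}>."""
    n = len(pi)
    sigma = tuple(rng.sample(range(n), n))
    w = cmath.exp(2j * math.pi / m)
    return {mul(sigma, power(pi, t)): w ** (s * t) / math.sqrt(m) for t in range(m)}

def decrypt_cyc(pi, m, cipher):
    """(D1')-(D4'): uniform control register |r>, pi^r applied from the right,
    Fourier transform on the control, measurement.  Returns (s, Pr[s])."""
    w = cmath.exp(2j * math.pi / m)
    st, out = {}, {}
    for p, a in cipher.items():                     # (D1') control -> m^{-1/2} sum_r |r>
        for r in range(m):                          # (D2') |r>|p> -> |r>|p pi^r>
            key = (r, mul(p, power(pi, r)))
            st[key] = st.get(key, 0) + a / math.sqrt(m)
    for (r, p), a in st.items():                    # (D3') |r> -> m^{-1/2} sum_r' w^{r r'} |r'>
        for rp in range(m):
            out[(rp, p)] = out.get((rp, p), 0) + a * w ** (r * rp) / math.sqrt(m)
    probs = [0.0] * m
    for (rp, _), a in out.items():                  # (D4') measure the control register
        probs[rp] += abs(a) ** 2
    s = max(range(m), key=probs.__getitem__)
    return s, probs[s]

def run_multibit(s, n=6, m=3, seed=3):
    """One message s in Z_m through (A1')-(A5'); m = 2 with n = 2(2n'+1) is QSCD_ff."""
    rng = random.Random(seed)
    pi = keygen_cyc(n, m, rng)                      # (A1')
    return decrypt_cyc(pi, m, key_state(pi, m, s, rng))   # (A2') to (A5')
```

The cross terms with $r'\ne s$ cancel exactly in the simulation, so the recovered message has probability 1 up to floating-point rounding.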

A major drawback of our multi-bit encryption scheme is that Bob needs to send Alice all the encryption keys $\{\rho^{(0)}_\pi, \ldots, \rho^{(m-1)}_\pi\}$ simply because of the lack of a sophisticated converting algorithm among different encryption keys without knowing a hidden decryption key $\pi$. For comparison, recall the conversion algorithm for the QSCD_ff-based single-bit encryption scheme. This conversion algorithm utilizes the "parity" of $\sigma$ and $\sigma\pi$ to invert their phase without using any information on $\pi$. More precisely, the algorithm implements the homomorphism $f$ from $S_n$ to $\{+1, -1\}$ ($\cong\mathbb{Z}/2\mathbb{Z}$) satisfying that $f(\sigma) = +1$ ($-1$, resp.) if $\sigma$ is even (odd, resp.). Unfortunately, the same algorithm fails for QSCD_cyc. This is seen as follows. Let us assume, to the contrary, that there exists a homomorphism $g$ mapping $S_n$ to $\{1, \omega_m, \ldots, \omega_m^{m-1}\}$ ($\cong\mathbb{Z}/m\mathbb{Z}$). The fundamental homomorphism theorem implies that $S_n/\mathrm{Ker}(g)\cong\mathbb{Z}/m\mathbb{Z}$; namely, there exists an isomorphism from $\sigma\mathrm{Ker}(g)$ to $g(\sigma)$ for every $\sigma\in S_n$. Note that $\mathrm{Ker}(g)$ is a normal subgroup in $S_n$. It is known that such a normal subgroup in $S_n$ equals either the trivial group $\{\mathrm{id}\}$ or the alternating group $A_n$. Apparently, there is no isomorphism between $\{\sigma A_n : \sigma\in S_n\}$ and $\mathbb{Z}/m\mathbb{Z}$ nor isomorphism between $\{\sigma : \sigma\in S_n\}$ and $\mathbb{Z}/m\mathbb{Z}$ if $n > 4$ and $n > m > 2$. This contradicts our assumption.

5 Concluding Remarks 

The computational distinction problem QSCD_ff has useful properties to design a quantum PKC whose security is guaranteed by the computational intractability of GA. Although GA is reducible to QSCD_ff, there seems a large gap between the hardness of GA and that of QSCD_ff because all the combinatorial structures of input graphs in GA are completely lost in QSCD_ff. It is therefore pressing to find a nice classical problem (for instance, the problems of finding a centralizer or finding a normalizer [33]) which almost matches the computational hardness of QSCD_ff. Since no fast quantum algorithm is known for QSCD_ff, discovering such an algorithm may require new tools and novel proof techniques in quantum complexity theory. Besides our quantum states $\{\rho^+_\pi(n), \rho^-_\pi(n)\}$ in QSCD_ff, it is imperative to search for other simple quantum states whose computational indistinguishability is helpful to construct a more secure cryptosystem.

Similar to QSCD_ff, QSCD_cyc owns useful cryptographic properties for which we have built a multi-bit quantum PKC. It is unfortunate that the intractability of QSCD_cyc and therefore the security of our multi-bit quantum PKC are not yet clear. If one proves that the worst-case hardness of QSCD_cyc is lower-bounded by, for instance, the hardness of GA, then our multi-bit quantum PKC might find more practical use.
Appendix: Reduction from GA to UniqueGA_ff

In this Appendix, we prove Lemma 2.6. Earlier, Kobler et al. [29] proved the polynomial-time Turing equivalence between GA and UniqueGA. We first review their reduction and then explain how to modify it to obtain the reduction from GA to UniqueGA_ff. Note that the reduction from UniqueGA_ff to GA is trivial.

We begin with a technical tool and notations necessary to describe the reduction of Kobler et al. The reduction of Kobler et al. uses a technical tool called a label to distinguish each node of a given graph $G$ from the others. The label $j$ attached to node $i$ consists of two chains, one of which is of length $2n+3$ connected to node $i$ and the other is of length $j$ connected to the $(n+2)$-nd node of the first chain. (See Figure 2.)

[Figure 2: diagram of a label, a chain of two segments marked $n+1$ and $n+1$ with the second chain hanging from its middle node.]

Figure 2: label

Note that the total size of the label $j$ is $2n+j+3$. Let $G_{[i]}$ denote the graph obtained from $G$ by attaching label 1 to node $i$. Similarly, $G_{[i_1,\ldots,i_j]}$ is defined as the graph with labels $1, \ldots, j$ respectively attached to nodes $i_1, \ldots, i_j$. Note that any automorphism of $G_{[i]}$ maps the node $i$ into itself and that any label adds no new automorphism into the modified graph. Let $\mathrm{Aut}(G)$ be the automorphism group of the graph $G$ and let $\mathrm{Aut}(G)_{[1,\ldots,i]}$ be the point-wise stabilizer of $\{1,\ldots,i\}$ in $\mathrm{Aut}(G)$; i.e.,
$$\mathrm{Aut}(G)_{[1,\ldots,i]} = \{\sigma\in\mathrm{Aut}(G) : \forall j\in\{1,\ldots,i\}\ [\sigma(j) = j]\}.$$

Kobler et al. proved the following theorem. For our later use, we give its proof.

Theorem 5.1 ([30, Theorem 1.31]) GA is polynomial-time Turing reducible to UniqueGA.

Proof. Given an oracle $O$ for UniqueGA, the following algorithm solves GA in polynomial time. Let $G$ be any given instance of GA.

(U1) Repeat (U2)-(U3) for each $i$ starting with $n$ down to 1.
(U2) Repeat (U3) for each $j$ ranging from $i+1$ to $n$.
(U3) Invoke $O$ with input graph $G_{[1,\ldots,i-1,i]}\cup G_{[1,\ldots,i-1,j]}$. If the outcome of $O$ is YES, output YES and halt.
(U4) Output NO.

If $G$ is a "YES" instance, there is at least one non-trivial automorphism. Take the largest number $i\in\{1,\ldots,n\}$ such that there exists a number $j\in\{1,\ldots,n\}$ and a non-trivial automorphism $\pi\in\mathrm{Aut}(G)_{[1,\ldots,i-1]}$ for which $\pi(i) = j$ and $i\ne j$. We claim that there is exactly one such non-trivial automorphism. This is seen as follows. First, note that $\mathrm{Aut}(G)_{[1,\ldots,i-1]}$ is expressed as $\mathrm{Aut}(G)_{[1,\ldots,i-1]} = \pi_1\mathrm{Aut}(G)_{[1,\ldots,i]} + \cdots + \pi_d\mathrm{Aut}(G)_{[1,\ldots,i]}$. For any two distinct cosets $\pi_s\mathrm{Aut}(G)_{[1,\ldots,i]}$ and $\pi_t\mathrm{Aut}(G)_{[1,\ldots,i]}$ and for any two automorphisms $\sigma\in\pi_s\mathrm{Aut}(G)_{[1,\ldots,i]}$ and $\sigma'\in\pi_t\mathrm{Aut}(G)_{[1,\ldots,i]}$, it holds that $\sigma(i)\ne\sigma'(i)$. Since $|\mathrm{Aut}(G)_{[1,\ldots,i]}| = 1$ and there exists the unique coset $\pi_k\mathrm{Aut}(G)_{[1,\ldots,i]}$ such that $\sigma(i) = j$ for any $\sigma\in\pi_k\mathrm{Aut}(G)_{[1,\ldots,i]}$ by the definition of $i$, we obtain $|\pi_k\mathrm{Aut}(G)_{[1,\ldots,i]}| = 1$. This implies that the non-trivial automorphism $\pi$ is unique. Note that the unique non-trivial automorphism interchanges two subgraphs $G_{[1,\ldots,i-1,i]}$ and $G_{[1,\ldots,i-1,j]}$. Therefore, the above algorithm successfully outputs YES at Step (U3).

On the contrary, if $G$ is a "NO" instance, then for every distinct $i$ and $j$, the modified graph has no non-trivial automorphism. Thus, the above algorithm correctly rejects such a graph $G$. □

Finally, we describe the reduction from GA to UniqueGA_ff by slightly modifying the reduction given in the above proof.

Lemma 5.2 GA is polynomial-time Turing reducible to UniqueGA_ff.

Proof. We only need to change the number of nodes to invoke the oracle for UniqueGA_ff in (U3). For such a change, we first modify the size of each label. Since the number $m$ of all nodes of $G_{[1,\ldots,i-1,i]}\cup G_{[1,\ldots,i-1,j]}$ is even, if there is no $k$ such that $m = 2(2k+1)$ then we add one more node appropriately to the original labels. We then attach our modified labels of length $2n+i+4$ and $2n+j+4$ to nodes $i$ and $j$, respectively. Obviously, this modified graph satisfies the promise of UniqueGA_ff. Our algorithm therefore works correctly for any instance of GA. □